FreeBSD Security Advisory - FreeBSD 12.0 attempts to handle the case where the receiving process does not provide a sufficiently large buffer for an incoming control message containing rights. In particular, to avoid leaking the corresponding descriptors into the receiving process' descriptor table, the kernel handles the truncation case by closing descriptors referenced by the discarded message. The code which performs this operation failed to release a reference obtained on the file corresponding to a received right. This bug can be used to cause the reference counter to wrap around and free the file structure. A local user can exploit the bug to gain root privileges or escape from a jail.
d2a5625f6a6acebfab7130396aaad041FreeBSD Security Advisory - The callee-save registers are used by kernel and for some of them (%r8, %r10, and for non-PTI configurations, %r9) the content is not sanitized before return from syscalls, potentially leaking sensitive information. Typically an address of some kernel data structure used in the syscall implementation, is exposed.
4fa532c6e04c2f256ea9ead2ce8d94a8FreeBSD Security Advisory - Due to insufficient validation of network-provided data it may be possible for a malicious attacker to craft a bootp packet which could cause a stack buffer overflow. It is possible that the buffer overflow could lead to a Denial of Service or remote code execution.
88112b48fbe7ec1d8945f0322a19ff3fFreeBSD Security Advisory - Insufficient bounds checking in one of the device models provided by bhyve(8) can permit a guest operating system to overwrite memory in the bhyve(8) processing possibly permitting arbitrary code execution. A guest OS using a firmware image can cause the bhyve process to crash, or possibly execute arbitrary code on the host as root.
7dc5a9cc50e7bfcc59073a947a869ea7FreeBSD Security Advisory - Insufficient and improper checking in the NFS server code could cause a denial of service or possibly remote code execution via a specially crafted network packet. A remote attacker could cause the NFS server to crash, resulting in a denial of service, or possibly execute arbitrary code on the server.
c429bab0bdb3143934610a88f982eccdFreeBSD Security Advisory - Insufficient validation was performed in the ELF header parser, and malformed or otherwise invalid ELF binaries were not rejected as they should be. Execution of a malicious ELF binary may result in a kernel crash or may disclose kernel memory.
00b792f169afd323a3ed205a6d9a506dFreeBSD Security Advisory - A researcher has notified us of a DoS attack applicable to another operating system. While FreeBSD may not be vulnerable to that exact attack, we have identified several places where inadequate DoS protection could allow an attacker to consume system resources. It is not necessary that the attacker be able to establish two-way communication to carry out these attacks. These attacks impact both IPv4 and IPv6 fragment reassembly. In the worst case, an attacker could send a stream of crafted fragments with a low packet rate which would consume a substantial amount of CPU. Other attack vectors allow an attacker to send a stream of crafted fragments which could consume a large amount of CPU or all available mbuf clusters on the system. These attacks could temporarily render a system unreachable through network interfaces or temporarily render a system unresponsive. The effects of the attack should clear within 60 seconds after the attack stops.
6d1a3e8fec6cb509fd14501d91ac75b5FreeBSD Security Advisory - When using WPA2, EAPOL-Key frames with the Encrypted flag and without the MIC flag set, the data field was decrypted first without verifying the MIC. When the dta field was encrypted using RC4, for example, when negotiating TKIP as a pairwise cipher, the unauthenticated but decrypted data was subsequently processed. This opened wpa_supplicant(8) to abuse by decryption and recovery of sensitive information contained in EAPOL-Key messages. All users of the WPA2 TKIP pairwise cipher are vulnerable to information, for example, the group key.
6161d24d13a49c91a2677cc51cfcb2a2FreeBSD Security Advisory - On certain Intel 64-bit x86 systems there is a period of time during terminal fault handling where the CPU may use speculative execution to try to load data. The CPU may speculatively access the level 1 data cache (L1D). Data which would otherwise be protected may then be determined by using side channel methods. This issue affects bhyve on FreeBSD/amd64 systems. An attacker executing user code, or kernel code inside of a virtual machine, may be able to read secret data from the kernel or from another virtual machine.
d2d8d94bd9c95b68c83e957598d1c85cFreeBSD Security Advisory - One of the data structures that holds TCP segments uses an inefficient algorithm to reassemble the data. This causes the CPU time spent on segment processing to grow linearly with the number of segments in the reassembly queue. An attacker who has the ability to send TCP traffic to a victim system can degrade the victim system's network performance and/or consume excessive CPU by exploiting the inefficiency of TCP reassembly handling, with relatively small bandwidth cost.
0bdd64abf1fb28bb2f9ee045a5e2a080FreeBSD Security Advisory - A subset of Intel processors can allow a local thread to infer data from another thread through a speculative execution side channel when Lazy FPU state restore is used. Any local thread can potentially read FPU state information from other threads running on the host. This could include cryptographic keys when the AES-NI CPU feature is present.
1f6a78529b67d0c29228595a5402e4ecrldns is an open source lightweight DNS server for linux, netbsd, freebsd, and openbsd. Runs on x86 and x86_64 architectures.
5b3cb3b9e8efbdc698d6294abcbf309dFreeBSD Security Advisory - The MOV SS and POP SS instructions inhibit debug exceptions until the instruction boundary following the next instruction. If that instruction is a system call or similar instruction that transfers control to the operating system, the debug exception will be handled in the kernel context instead of the user context. An authenticated local attacker may be able to read sensitive data in kernel memory, control low-level operating system functions, or may panic the system.
05c71c8dc70ff40f5b7968260285a503FreeBSD Security Advisory - The length field of the option header does not count the size of the option header itself. This causes a problem when the length is zero, the count is then incremented by zero, which causes an infinite loop. In addition there are pointer/offset mistakes in the handling of IPv4 options. A remote attacker who is able to send an arbitrary packet, could cause the remote target machine to crash.
d7bfefe5e014e4d4be99e8fd294dc2dcFreeBSD Security Advisory - Insufficient validation of user-provided font parameters can result in an integer overflow, leading to the use of arbitrary kernel memory as glyph data. Characters that reference this data can be displayed on the screen, effectively disclosing kernel memory. Unprivileged users may be able to access privileged kernel data. Such memory might contain sensitive information, such as portions of the file cache or terminal buffers. This information might be directly useful, or it might be leveraged to obtain elevated privileges in some way; for example, a terminal buffer might include a user-entered password.
95dfa2586849e8c84b5f22b2340cdc03FreeBSD Security Advisory - A number of issues relating to speculative execution were found last year and publicly announced January 3rd. Two of these, known as Meltdown and Spectre V2, are addressed here.
a26c0e3e31cfe9f94c14cc22c3de9089FreeBSD Security Advisory - Due to a lack of strict checking, an attacker from a trusted host can send a specially constructed IP packet that may lead to a system crash. Additionally, a use-after-free vulnerability in the AH handling code could cause unpredictable results. Access to out of bounds or freed mbuf data can lead to a kernel panic or other unpredictable results.
2b9bf1adfcbbe512db7921f04fd121f9FreeBSD Security Advisory - Due to a lack of strict checking, an attacker from a trusted host can send a specially constructed IP packet that may lead to a system crash. Additionally, a use-after-free vulnerability in the AH handling code could cause unpredictable results. Access to out of bounds or freed mbuf data can lead to a kernel panic or other unpredictable results.
aa5199cf207d73b48003502dfd3dee02This is a note from the FreeBSD team that they were notified of the issue in late December and received a briefing under NDA with the original embargo date of January 9th. Since they received relatively late notice of the issue, their ability to provide fixes is delayed.
3d8597163525c9232966500bae696d26FreeBSD Security Advisory - Invoking SSL_read()/SSL_write() while in an error state causes data to be passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. Various other issues were addressed.
3475ce3c92c45de6eb4652ec337d3e53FreeBSD Security Advisory - Not all information in the struct ptrace_lwpinfo is relevant for the state of any thread, and the kernel does not fill the irrelevant bytes or short strings. Since the structure filled by the kernel is allocated on the kernel stack and copied to userspace, a leak of information of the kernel stack of the thread is possible from the debugger. Some bytes from the kernel stack of the thread using ptrace(PT_LWPINFO) call can be observed in userspace.
4185c6c38d161594900777f2d539e495FreeBSD Security Advisory - The kernel does not properly clear the memory of the kld_file_stat structure before filling the data. Since the structure filled by the kernel is allocated on the kernel stack and copied to userspace, a leak of information from the kernel stack is possible. Some bytes from the kernel stack can be observed in userspace.
85acdc3509c9475e03880d4caef12c90FreeBSD Security Advisory - Named paths are globally scoped, meaning a process located in one jail can read and modify the content of POSIX shared memory objects created by a process in another jail or the host system. A malicious user that has access to a jailed system is able to abuse shared memory by injecting malicious content in the shared memory region. This memory region might be executed by applications trusting the shared memory, like Squid. This issue could lead to a Denial of Service or local privilege escalation.
b2681ba643cf5c4f71bab8fbcbe6dd35FreeBSD Security Advisory - A vulnerability was found in how a number of implementations can be triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by replaying a specific frame that is used to manage the keys. Such reinstallation of the encryption key can result in two different types of vulnerabilities: disabling replay protection and significantly reducing the security of encryption to the point of allowing frames to be decrypted or some parts of the keys to be determined by an attacker depending on which cipher is used.
dd1ceecd8830ca90a5666d6a9425ade7FreeBSD jail incompletely protects the access to the IPC primitives. The 'allow.sysvipc' setting only affects IPC queues, leaving other IPC objects unprotected, making them reachable system-wide independently of the system configuration. Versions 7.0 through 10.3 are affected. Proof of concept included.
e7bb338f4932b0dcb05045dbf728194c
© 2019 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed